Skip to main content

GnuTLS CVE-2026-42014

| EUVDEUVD-2026-37029 MEDIUM
Expired Pointer Dereference (CWE-825)
2026-06-16 redhat GHSA-m4m5-7xc2-xc7g
6.6
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.6 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
vuln.today AI
6.6 MEDIUM

Local attack vector with low-privilege requirement reflects PKCS#11 token access; use-after-free drives A:H with limited memory leakage (C:L/I:L); no scope change as impact is process-contained.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
Ubuntu
MEDIUM
qualitative
SUSE
4.0 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 02:18 vuln.today
CVE Published
Jun 16, 2026 - 00:49 cve.org
MEDIUM 6.6

DescriptionCVE.org

A flaw was found in GnuTLS. The gnutls_pkcs11_token_set_pin function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path.

AnalysisAI

Use-after-free memory corruption in GnuTLS's PKCS#11 PIN management function gnutls_pkcs11_token_set_pin enables a local low-privileged attacker to crash the process and potentially corrupt memory on systems where PKCS#11 tokens are deployed without a protected authentication path. Affected deployments span Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4, as confirmed by Red Hat (reporter) and covered under GnuTLS upstream advisory GNUTLS-SA-2026-04-29-9. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

GnuTLS is a widely deployed open-source TLS/SSL/DTLS cryptographic library used across the Red Hat ecosystem including RHEL 6-10, Hardened Images, and OpenShift Container Platform 4 (CPE strings confirm all these product lines). PKCS#11 is the OASIS standard interface for interacting with cryptographic hardware tokens such as HSMs and smart cards. The Security Officer (SO) PIN is a privileged credential used in PKCS#11 to administer token state, separate from the standard user PIN. The function gnutls_pkcs11_token_set_pin handles SO PIN changes but contains a logic flaw when the caller supplies a NULL value for the old PIN on a token that does not implement a protected authentication path (i.e., a token that relies on software-supplied PINs rather than hardware PIN entry). Under this condition, the function dereferences a pointer to memory that has already been freed or is otherwise invalid. CWE-825 (Expired Pointer Dereference) is the root cause class - a variant of use-after-free where a dangling or freed pointer is read or written, leading to undefined behavior including crashes, memory disclosure, or controlled memory writes.

RemediationAI

Apply the available Red Hat security advisories: RHSA-2026:20611, RHSA-2026:20612, and RHSA-2026:20613, accessible at https://access.redhat.com/errata/RHSA-2026:20611, https://access.redhat.com/errata/RHSA-2026:20612, and https://access.redhat.com/errata/RHSA-2026:20613 respectively. These advisories cover the affected RHEL and OpenShift product lines. For upstream GnuTLS, monitor https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-9 for a patched release version, which is not independently confirmed from current reference data. If immediate patching is not feasible, the most actionable compensating controls are: restrict local user access to processes that invoke PKCS#11 token management operations (e.g., via SELinux policy or process privilege separation); use only PKCS#11 tokens that implement a protected authentication path (hardware PIN entry), as the vulnerability is not triggered in that configuration; and audit which local users have access to PKCS#11 token management interfaces and reduce that access surface. Note that restricting PKCS#11 access may impact smart card login, certificate operations, and HSM-backed key management workflows.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

Ubuntu

Priority: Medium
gnutls28
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
upstream released 3.8.13
jammy released 3.7.3-4ubuntu1.9
noble released 3.8.3-1.1ubuntu3.6
questing released 3.8.9-3ubuntu2.2
resolute released 3.8.12-2ubuntu1.1

Debian

Bug #1135319
gnutls28
Release Status Fixed Version Urgency
bullseye fixed 3.7.1-5+deb11u10 -
bullseye (security) fixed 3.7.1-5+deb11u10 -
bookworm fixed 3.7.9-2+deb12u7 -
bookworm (security) fixed 3.7.9-2+deb12u7 -
trixie fixed 3.8.9-3+deb13u4 -
trixie (security) fixed 3.8.9-3+deb13u4 -
forky, sid fixed 3.8.13-1 -
(unstable) fixed 3.8.13-1 -

SUSE

Severity: Moderate
Product Status
Container suse/manager/5.0/x86_64/server:5.0.8.7.44.2 Image SLES15-SP6 Image SLES15-SP6-Azure-3P Image SLES15-SP6-Azure-Basic Image SLES15-SP6-Azure-Standard Image SLES15-SP6-BYOS Image SLES15-SP6-BYOS-Azure Image SLES15-SP6-BYOS-EC2 Image SLES15-SP6-BYOS-GCE Image SLES15-SP6-CHOST-BYOS Image SLES15-SP6-CHOST-BYOS-Aliyun Image SLES15-SP6-CHOST-BYOS-Azure Image SLES15-SP6-CHOST-BYOS-EC2 Image SLES15-SP6-CHOST-BYOS-GCE Image SLES15-SP6-CHOST-BYOS-GDC Image SLES15-SP6-CHOST-BYOS-SAP-CCloud Image SLES15-SP6-EC2 Image SLES15-SP6-EC2-ECS-HVM Image SLES15-SP6-GCE Image SLES15-SP6-HPC Image SLES15-SP6-HPC-Azure Image SLES15-SP6-HPC-BYOS Image SLES15-SP6-HPC-BYOS-Azure Image SLES15-SP6-HPC-BYOS-EC2 Image SLES15-SP6-HPC-BYOS-GCE Image SLES15-SP6-HPC-EC2 Image SLES15-SP6-HPC-GCE Image SLES15-SP6-Hardened-BYOS Image SLES15-SP6-Hardened-BYOS-Azure Image SLES15-SP6-Hardened-BYOS-EC2 Image SLES15-SP6-Hardened-BYOS-GCE Image SLES15-SP6-SAP Image SLES15-SP6-SAP-Azure Image SLES15-SP6-SAP-EC2 Image SLES15-SP6-SAP-GCE Image SLES15-SP6-SAPCAL Image SLES15-SP6-SAPCAL-Azure Image SLES15-SP6-SAPCAL-EC2 Image SLES15-SP6-SAPCAL-GCE Image SLES15-SP7-Azure-3P Image SLES15-SP7-Azure-Basic Image SLES15-SP7-Azure-Standard Image SLES15-SP7-BYOS-Azure Image SLES15-SP7-BYOS-EC2 Image SLES15-SP7-BYOS-GCE Image SLES15-SP7-EC2 Image SLES15-SP7-EC2-ECS-HVM Image SLES15-SP7-GCE Image SLES15-SP7-HPC-BYOS-Azure Image SLES15-SP7-HPC-BYOS-EC2 Image SLES15-SP7-HPC-BYOS-GCE Image SLES15-SP7-Hardened-BYOS-Azure Image SLES15-SP7-Hardened-BYOS-EC2 Image SLES15-SP7-Hardened-BYOS-GCE Image SLES15-SP7-SAP-Azure Image SLES15-SP7-SAP-Azure-3P Image SLES15-SP7-SAP-BYOS-Azure Image SLES15-SP7-SAP-BYOS-EC2 Image SLES15-SP7-SAP-BYOS-GCE Image SLES15-SP7-SAP-GCE Image SLES15-SP7-SAP-Hardened-Azure Image SLES15-SP7-SAP-Hardened-BYOS-Azure Image SLES15-SP7-SAP-Hardened-BYOS-EC2 Image SLES15-SP7-SAP-Hardened-BYOS-GCE Image SLES15-SP7-SAP-Hardened-GCE Image SLES15-SP7-SAPCAL-Azure Image SLES15-SP7-SAPCAL-EC2 Image SLES15-SP7-SAPCAL-GCE Affected
Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-EC2 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-EC2 Image SLES-EC2-ECS Image SLES-GCE Image SLES-GCE-3P Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Image SLES-SAPCAL-Azure Image SLES-SAPCAL-EC2 Image SLES-SAPCAL-GCE Affected
Image SLES-SAP-Azure Image SLES-SAP-Azure-3P Image SLES-SAP-BYOS-Azure Image SLES-SAP-BYOS-EC2 Image SLES-SAP-BYOS-GCE Image SLES-SAP-EC2 Image SLES-SAP-GCE Image SLES-SAP-GCE-3P Affected
Image SLES15-SP4-BYOS Image SLES15-SP4-BYOS-Azure Image SLES15-SP4-BYOS-EC2 Image SLES15-SP4-BYOS-GCE Image SLES15-SP4-CHOST-BYOS Image SLES15-SP4-CHOST-BYOS-Aliyun Image SLES15-SP4-CHOST-BYOS-Azure Image SLES15-SP4-CHOST-BYOS-EC2 Image SLES15-SP4-CHOST-BYOS-GCE Image SLES15-SP4-CHOST-BYOS-SAP-CCloud Image SLES15-SP4-HPC-BYOS Image SLES15-SP4-HPC-BYOS-Azure Image SLES15-SP4-HPC-BYOS-EC2 Image SLES15-SP4-HPC-BYOS-GCE Image SLES15-SP4-HPC-EC2 Image SLES15-SP4-HPC-GCE Image SLES15-SP4-Hardened-BYOS Image SLES15-SP4-Hardened-BYOS-Azure Image SLES15-SP4-Hardened-BYOS-EC2 Image SLES15-SP4-Hardened-BYOS-GCE Image SLES15-SP4-SAP Image SLES15-SP4-SAP-Azure Image SLES15-SP4-SAP-EC2 Image SLES15-SP4-SAP-GCE Image SLES15-SP4-SAPCAL Image SLES15-SP4-SAPCAL-Azure Image SLES15-SP4-SAPCAL-EC2 Image SLES15-SP4-SAPCAL-GCE Image SLES15-SP5-Azure-3P Image SLES15-SP5-Azure-Basic Image SLES15-SP5-Azure-Standard Image SLES15-SP5-BYOS-Azure Image SLES15-SP5-BYOS-EC2 Image SLES15-SP5-BYOS-GCE Image SLES15-SP5-CHOST-BYOS-Aliyun Image SLES15-SP5-CHOST-BYOS-Azure Image SLES15-SP5-CHOST-BYOS-EC2 Image SLES15-SP5-CHOST-BYOS-GCE Image SLES15-SP5-CHOST-BYOS-GDC Image SLES15-SP5-CHOST-BYOS-SAP-CCloud Image SLES15-SP5-EC2 Image SLES15-SP5-GCE Image SLES15-SP5-HPC-Azure Image SLES15-SP5-HPC-BYOS-Azure Image SLES15-SP5-HPC-BYOS-EC2 Image SLES15-SP5-HPC-BYOS-GCE Image SLES15-SP5-Hardened-BYOS-Azure Image SLES15-SP5-Hardened-BYOS-EC2 Image SLES15-SP5-Hardened-BYOS-GCE Image SLES15-SP5-SAPCAL-Azure Image SLES15-SP5-SAPCAL-EC2 Image SLES15-SP5-SAPCAL-GCE Affected

Share

CVE-2026-42014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy